No One Solution in the Cybersecurity War

Banks, and third parties they work with, face a dizzying array of security attacks like never before.

In the fallout of the data breach that affected Target, Neiman Marcus, and other major retailers, many solutions have been proposed to ensure similar incidents don't happen in the future.

Many have claimed that a switch to EMV cards in the U.S. market would hinder future attacks such as these. In fact, Target CEO Gregg Steinhafel is one such advocate. In a CNBC interview shortly after the breach was made public he used the opportunity to push for EMV adoption in the U.S. Additionally, Target CFO John Mulligan told the Senate Judiciary Committee recently that the company is speeding up the process of implementing EMV-enabled POS terminals at its stores. He said the company's own credit cards would be EMV-enabled by the end of 2014, and all Target stores would be ready to accept EMV cards of any kind by January 2015.

But some warn that migrating to EMV cards won't be a catch-all solution to prevent all card fraud in the future. According to Dan Ingevaldson, CTO of security solutions provider Easy Solutions, EMV technology would not have prevented the Target fraud from happening. He says that the malware that affected Target was looking for account information in the memory inside point-of-sale (POS) devices, where it's unencrypted. Therefore, Ingelvadson says, the criminals would have been able to obtain this information even if it came from chip and PIN cards, since the stolen information was not directly taken off the cards themselves.

Further, he says that while EMV technology makes it harder for criminals to clone cards, and is generally more secure at the POS terminal than regular magnetic stripe cards, they still don't protect against card-not-present fraud. Further, he notes that retailers have to actually accept EMV cards for it to be effective. Ingevaldson says in Columbia, where EMV cards were meant to be mandatory in 2013, many merchants still simply swipe the magnetic stripe of the card when processing a transaction instead of using EMV-compliant technology to do it.

Meanwhile DDoS attacks continue to be on the rise as well. Security vendor Prolexic reports that mobile applications are increasingly being used in DDoS attacks against enterprise customers. The company said financial services firms continue to be a prime target of such attacks.

“The prevalence of mobile devices and the widespread availability of downloadable apps that can be used for DDoS is a game changer,” says Stuart Scholly, president of Prolexic. “Malicious actors now carry a powerful attack tool in the palm of their hands, which requires minimal skill to use. Because it is so easy for mobile device users to opt-in to DDoS attack campaigns, we expect to see a considerable increase in the use of these attack tools in 2014.”

With the ever-changing fraud and security landscape, banks simply must be more vigilant than ever before, notes Colin Eccles, CIO of Webster Bank. He says information security is top of mind at Webster, and the bank works very closely with third parties regarding data security as well.

"In the past banks only had to rely on protecting themselves," he says. "Now you have to be vigilant with every third-party you work with. You can never be content"

Bryan Yurcan is associate editor for Bank Systems and Technology. He has worked in various editorial capacities for newspapers and magazines for the past 8 years. After beginning his career as a municipal and courts reporter for daily newspapers in upstate New York, Bryan has ... View Full Bio

Yep, just like risk of being robbed or flooded out or anything else in the past, cyber risk is another vector. That's why insurers are keen on offering products to cover it Gă÷ of course, they are themselves dealing with the cyber risk internally.

That's a very good point, I can't imagine this "war" will ever end, I don't think there will ever be a shortage of greedy criminals in the world. You are correct that this is more of an ongoing business condition.

Correct. The cyber 'war' may never be over and it will never be won. There will always be a new threat or tactic. One way for banks to continue to 'raise the bar' against cyber criminals is to start working together and sharing intelligence. I know it is starting to happen, but it isn't comprehensive. Law enforcement (local and state police, FBI) knows that working together makes the job easier, but they sometimes still have turf battles. Same with financial crime: the banks, issuers, clearing houses and exchanges all know that working together is a good idea, it just takes a lot of work to get things going.

Your observation is right on. If this is a war, it's a war of attrition, with skirmishes, attacks and battles, but peace is elusive (if impossible). (Kind of like how some have suggested we rethink the "war on terror" -- but that's a topic for a different article.) As you note, "cyber-crime is a new constant" -- and thinking of today's fraudsters akin to business competitors I think is a very useful model, since increasingly these crime rings are organized and operated as global business operations. A related point, which Bryan's sources alude to, is that the search for an absolute and all-encompassing solution is not what's required (although politicians and the mass media will demand this). EMV makes sense and is necessary, but won't prevent all crimes. That's not a reason not to pursue it, but it has to be implemented along with many other technologies and practices. And what is effective today probably won't be next year.

It's perhaps a little off kilter to think of the current state of cyber-security and cyber threat levels as a "war". Wars, in theory, can be won, they can be lost and they are often thought to have a finite time element. Unfortunately, the threat of fraud, exploit and crime against online commerce and finance is permanent. It's best to think of it as a business or market "condition". Just as competitors compete against a business with product enhancements or lower prices via cost efficiencies, banks will have to recognize that the threat of cyber-crime is a new constant. They will have to out-develop, out-think and out-maneuver the mischief makers, and keep right on doing it in a cost effective way.The fact that is was an issuing bank that discovered there may have been a major breach at Target via their "intelligence operations" suggests that some banks understand this new reality.